SQL Injection Risk in Product Table and List Builder for WooCommerce Lite by WordPress
CVE-2026-2232

7.5HIGH

Key Information:

Vendor: WordPress
Status: Product Table And List Builder For WooCommerce Lite
Vendor: CVE Published:; 19 February 2026

What is CVE-2026-2232?

The Product Table and List Builder for WooCommerce Lite plugin for WordPress exhibits a time-based SQL injection vulnerability. This issue arises from inadequate sanitization of user-supplied parameters in the 'search' function, leading to insufficiently prepared SQL queries. Attackers, who do not require authentication, can exploit this flaw to inject and execute unauthorized SQL commands, potentially extracting sensitive data from the database. This vulnerability highlights the critical importance of proper input validation and prepared statements in securing web applications.

Affected Version(s)

Product Table and List Builder for WooCommerce Lite 0 <= 4.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wc-product-tab...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Feb 8, 2026

Credit

Nguyen Ba Hung

CVE-2026-2232 Data

JSON